The Challenge of Managing Portable Devices


Transcript of The Challenge of Managing Portable Devices

Page 1: The Challenge of Managing Portable Devices

© Copyright 2009 American Health Information Management Association. All rights reserved.

The Challenge of Managing Portable Devices

Webinar April 21, 2009

Practical Tools for Seminar Learning

Page 2: The Challenge of Managing Portable Devices

Disclaimer

AHIMA 2009 HIM Webinar Series i

The American Health Information Management Association makes no representation or guarantee with respect to the contents herein and specifically disclaims any implied guarantee of suitability for any specific purpose. AHIMA has no liability or responsibility to any person or entity with respect to any loss or damage caused by the use of this audio seminar, including but not limited to any loss of revenue, interruption of service, loss of business, or indirect damages resulting from the use of this program. AHIMA makes no guarantee that the use of this program will prevent differences of opinion or disputes with Medicare or other third party payers as to the amount that will be paid to providers of service. As a provider of continuing education the American Health Information Management Association (AHIMA) must assure balance, independence, objectivity and scientific rigor in all of its endeavors. AHIMA is solely responsible for control of program objectives and content and the selection of presenters. All speakers and planning committee members are expected to disclose to the audience: (1) any significant financial interest or other relationships with the manufacturer(s) or provider(s) of any commercial product(s) or service(s) discussed in an educational presentation; (2) any significant financial interest or other relationship with any companies providing commercial support for the activity; and (3) if the presentation will include discussion of investigational or unlabeled uses of a product. The intent of this requirement is not to prevent a speaker with commercial affiliations from presenting, but rather to provide the participants with information from which they may make their own judgments. This seminar's faculty have made no such disclosures.

Page 3: The Challenge of Managing Portable Devices

Faculty


John Parmigiani, MS, BES

John Parmigiani is president of John C. Parmigiani & Associates, LLC, a consulting firm in Ellicott City, MD, focused on helping healthcare organizations become compliant with healthcare regulations and move toward e-health. Mr. Parmigiani has over 35 years' experience in information systems management. As former director of enterprise standards for the Health Care Financing Administration (now CMS), he was chairman of the government-wide HIPAA Administrative Simplification Security and Electronic Signature Standards Implementation Team that created the Security Rule, and was a member of the federal committee that oversaw the development and implementation of the HIPAA Transactions and Code Sets and the Privacy Rule.

Page 4: The Challenge of Managing Portable Devices

Table of Contents


Disclaimer (i)
Faculty (ii)
Presentation Overview (1)
Session Objectives (1-2)

Regulatory Drivers
• Regulatory Drivers: Privacy & Security (3)
• Common Security Requirements (3)
• CMS Guidance of Dec. 2006 (4)
• Legal Basis for “Keeping Up with Technology” (4)

Laptops/Mobile Devices/Remote Access
• Mobile Computing Devices (5)
• Benefits of Mobility (6)
• From a Vendor Ad (6)
• Polling Question #1 (7)
• Handheld Vulnerabilities (7)
• Media Players (8)
• Wireless Concerns (8)

Data Losses/Leakages
• Types of Risk to Data (9)
• Healthcare Data Is At Risk (10)
• Sources of Data Leakage (10)
• Common Paths for Data Exposure (11)

Data Breach Costs & Impacts
• Data Breaches Are Common! (12)
• Some Recent Healthcare Security Breaches (2008) (12-13)
• The Cost of Data Loss (13)
• Data Breach Costs (14)
• Remediation Is More Expensive than Prevention (14)
• Recent Data Breach Costs Are Shown to Be Astronomical and Long-lasting (15)
• Government Enforcement on the Rise (15-16)
• Other Adverse Impacts (16-17)
• Avoiding the Problem (17)

Tools, Techniques, & Best Practices
• Enterprise-wide Management Solution (18)
• Data-Centric vs. Device-Centric (19)
• Required Oversight (19)
• It’s 9:00 – Do You Know Where Your Data Is? (20)
• Mobile Devices (20)
• Mobile Security Policy (21)
• Training (21)
• Communicating an Awareness of the Risks (22)
• Policies and Procedures Training (22)
• Polling Question #2 (23)
• Mobile Device Security Best Practices (23-24)
• If there has been a loss (24)
• Physical Controls (25)
• Device Inventory (25)
• Back Up Log for Devices (26)
• Travel Checklist (26)
• Technology Solutions (27)
• Security Controls (27)
• Emerging Authentication Safeguards on Mobile Devices (28)
• Security Controls (28)
• Some Helpful Tips to Prevent Mobile Loss (29)
• Data Loss Prevention Techniques (29)
• Encryption: Preventing Unauthorized Access (30)
• Encryption (30-31)
• Comprehensive Data Security with Encryption (31)
• Mobile Device Security (32)
• Network Security? (32)
• Wireless Best Practices (33)
• Resource/Reference List (33)

Conclusions
• In Conclusion (34-35)

Audience Questions (35)
Thank You! (36)
Audio Seminar Discussion (36)
Become an AHIMA Member Today! (37)
Audio Seminar Information Online (37)
Upcoming Audio Seminars (38)
AHIMA Distance Education Online Courses (38)
Thank You/Evaluation Form and CE Certificate (Web Address) (39)
Appendix (40)
• Resource/Reference List (41)
• CE Certificate Instructions

Page 6: The Challenge of Managing Portable Devices


Presentation Overview

• Session Objectives
• Federal and State Regulatory Requirements
• Recent Losses and Impacts
• Tools, Techniques, and Best Practices
• Conclusions
• Questions and Answers


Page 7: The Challenge of Managing Portable Devices


Session Objectives

• Understand the regulatory dictates for protecting mobile sensitive data
• Be aware of the financial and adverse impacts to operations and reputation of your organization from lost data
• Learn what steps to take to mitigate risk and the resulting liability of lost data and mobile devices
• Examine best practices to guard against loss of sensitive and patient data in an increasingly mobile healthcare environment


Page 8: The Challenge of Managing Portable Devices


Regulatory Drivers: Privacy & Security (Not just HIPAA)

USA
• HIPAA/HITECH
• FERPA
• 21 CFR Part 11
• 42 CFR Part 2
• PCI
• GLBA
• SOX
• FISMA
• ID theft: CA SB 1386 + 43 other states (Data Protection Acts) + DC, Puerto Rico / CA AB 1298 (healthcare information; also AR & DE; paper records added in some, e.g. MA)
• FTC Red Flags Rule
• JCAHO
• NCQA
• OMB/NIST/CMS directives & guidance

International
• EU Data Protection Directive
• Japanese Data Protection Law
• Canadian PIPEDA
• Basel II

Laws, regulations, draft bills, and accreditation practices related to information security are many and growing.


Common Security Requirements

The many standards associated with security/privacy have a strong commonality of features:
• Protect confidentiality of sensitive data at rest and in transit
• Restrict data access on a need-to-know basis
• Authentication/Access Controls/Audit Controls
• Assure data integrity
• Business continuity: system/data availability
• Network protection
• Security management process
• Administrative, Physical, Technical safeguard areas

The HIPAA Security Rule covers all of these requirements, so compliance with it also brings serendipitous compliance with other regulations!

Page 9: The Challenge of Managing Portable Devices


CMS Guidance of Dec. 2006

Guidelines/best practices to augment the HIPAA Security Rule:
• Mobile devices and removable media that contain ePHI
• Remote access to ePHI

Not a regulation but… “CMS may rely upon this guidance in determining whether or not the actions of a covered entity are reasonable and appropriate for safeguarding the confidentiality, integrity, and availability of ePHI, and it may be given deference in any administrative hearing pursuant to 45 C.F.R. section 160.508 (c)(1), the HIPAA Enforcement Rule”


Legal Basis for “Keeping Up with Technology”

The T.J. Hooper case
• New Jersey coast (1928): a storm comes up, the tug loses its barge and the cargo of coal
• Plaintiff: Barge owner – the captain was negligent because he had no weather radio, which was relatively new but was seeing widespread use even though not mandated
• Defendant: Tug captain – didn’t have the resources ($) to have a weather radio
• Decision (1932): Judge Learned Hand – Barge owner wins
• Rationale: to avoid negligence, keep up with technological innovations – they set the “standard of care” in the industry


Page 10: The Challenge of Managing Portable Devices


Mobile Computing Devices

• Laptops
• Tablets
• Pocket PC PDAs
• iPAQ
• BlackBerry
• Smartphones
• Picture Phones
• Thumb Drives
• Etc.

What else? More being created as we speak!!

Page 11: The Challenge of Managing Portable Devices


Benefits of Mobility

• Laptops and other point-of-care devices make it much easier to record clinical data and to transmit the data back to the office for billing and other purposes, or within and outside of the organization for patient treatment
• It also makes it much easier for your staff to carry very large volumes of patient information with them to the patient’s home and to their own home
• It provides an environment for ubiquitous access

BUT… this also creates the possibility of having all of that information lost or stolen.


From a Vendor Ad

EVERY 53 SECONDS A LAPTOP IS STOLEN! It’s not a matter of IF, it’s a matter of WHEN!

Answer these questions:
• Do your employees have confidential or sensitive data stored on their PCs and laptops?
• Do you believe some users write down PC login passwords on sticky notes, notebooks or PDAs?
• When employees or contractors leave the company, are you always assured of the immediate return of every computer?

Page 12: The Challenge of Managing Portable Devices


Polling Question #1

Has anyone in the audience experienced the loss of a portable device containing PHI?

a) Yes
b) No
c) Don’t know


Handheld Vulnerabilities

Figure: diagram of a handheld device and its exposure points. Labels shown:
• Man-in-the-middle
• Trojan Horses
• Viruses
• Digital Camera
• SD Card
• Bluetooth
• Device Databases
• Unapproved Applications
• WiFi
• IrDA “Beaming” Port

Page 13: The Challenge of Managing Portable Devices


Media Players

• >80 GB of storage
• Not just music/video
• Not easy to encrypt
• Only basic (rudimentary) logon


Wireless Concerns

Risks: unsecured wireless networks
• Home
• Airports
• Hotels
• Coffee shops
• Libraries
• Hospital waiting rooms and public areas


Page 14: The Challenge of Managing Portable Devices


Types of Risk to Data

Content Risk
• Level of sensitivity, from most confidential to not confidential

User Risk
• Insider
• Outsiders
  • Known (Business Associates – need to contractually bind)
  • Strangers

How
• When being processed as part of a system
• When being transmitted
• When being copied from one format to another
• When being stored


Page 15: The Challenge of Managing Portable Devices


Healthcare Data Is At Risk

Healthcare information exchange via EMR/PHR/EHR portals is becoming a priority, with growth and a push toward information sharing (HIEs). As data becomes easier to access and share, it also becomes more exposed.

What is the risk?
• Identity theft
• Medical ID theft
• Financial fraud
• Medical history becoming a commodity, converted to “credit” and “applicant” data
• Bad PR! No one wants a security breach to become front-page news!

Basic security such as passwords is not enough.

Sources of Data Leakage

PHI Loss
• Potential harm to patient
  • Identity theft – credit card/financial
  • Medical identity theft

Insider (75%)
• Sensitive data not protected
• Malicious handling/theft
• Takes sensitive data on a mobile device which is then lost or stolen

Outsider
• Malicious break-in and theft, either physically or through the network
• 65% of terrorist attacks are targeted at businesses, not governments

Page 16: The Challenge of Managing Portable Devices


Common Paths for Data Exposure

• Corporate e-mail
• Web 2.0 postings: Twitter, Facebook, MySpace (Social Media)
• Webmail communications
• File Transfer Protocol (FTP), Instant Messaging (IM), Peer-to-Peer (P2P) and other network file transfer mechanisms
• USB and removable storage media
• Unsecured business partner/business associate communications


Page 17: The Challenge of Managing Portable Devices


Data Breaches Are Common!

Data breaches are almost always caused by human error

Over 20% of the US population had already had their personal information lost or stolen by 2007*

* Estimated to reach 90% by 2010, according to Gartner


Some Recent Healthcare Security Breaches (2008)…

• Palo Alto Medical Foundation (Santa Cruz, CA) – laptop (1K persons affected)
• Horizon BC/BS – laptop (300K)
• Lifeblood (TN) – laptop (300+K)
• HealthNet Federal Services – (100+K)
• BC/BS Western New York – laptop (40K)
• Dental Network (NH) – web (75K)
• WellPoint (IN) – (120+K)
• WellCare Health Plans (GA) – (71K)
• Staten Island University Hospital – (88K)


Page 18: The Challenge of Managing Portable Devices


Some Recent Healthcare Security Breaches (2008)

• University of Utah Hospitals and Clinics – stolen tapes (2.2 M)
• Florida Agency for Healthcare Administration – (55K)
• HealthNet – laptop (5K)
• Fallon Community Health Plan – computer (4K)
• Wake County Emergency Services – laptop (5K)
• University of Minnesota – flash drive (3.1K)
• Memorial Hospital (IN) – laptop (4+K)
• University Health Care (UT) – laptops (4.8K)
• Etc. …


The Cost of Data Loss

2008
• Avg. total cost per breach, all industries*: $13.8M (large corporations/organizations); $202/record; avg. cost of a healthcare breach was $282/record
• Small organizations (physician practice): ~$350K**
• Current economic environment will spur even greater losses: a December 2008 report issued by the Identity Theft Resource Center, an advocacy group based in San Diego, predicted increased numbers of incidents, with more sophisticated schemes targeting unemployed people, consumers with poor credit, and homeowners facing foreclosure

*Ponemon Institute
**FBI and Computer Security Institute

Page 19: The Challenge of Managing Portable Devices


Data Breach Costs

• 84% of all organizations have suffered at least one breach in the last 12 months*
• >250 M consumer records compromised since January 2005*
• Average cost per record to remediate a breach in 2009 was $202 (but a healthcare breach was $282/record)**; Forrester (2008) warns a breach in 2009 could cost $305/record (discovery, notification, lost productivity, fines, legal fees, lost business, etc.)

*Privacy Rights Clearinghouse
**Ponemon Research


Remediation Is More Expensive than Prevention…

Cost item: estimate*
• Notification Letter: $1.50-2.00 per individual
• Fines / Penalties: $1000-$250,000 per incident
• Call Center: $10 to $31 per call
• Credit monitoring: $60 per person
• Legal Fees: $10,000+
• Loss of consumer confidence: Priceless

*Source: Estimates based on various news media reports

An ounce of prevention really is cheaper than a pound of cure!


Page 20: The Challenge of Managing Portable Devices


Recent Data Breach Costs Are Shown to Be Astronomical and Long-lasting!

• TJX, BJ’s & PETCO must submit to biennial outside security audits for 20 years and submit copies of assessments including training materials to FTC; TJX data loss currently estimated at $296M and counting; additionally, BJ’s was hit with $13M in private lawsuits

• Florida – companies fined $1,000/day ($50,000/month after 30 days) for every day they fail to disclose a data breach

• Montana – failure to disclose a privacy violation: $10,000

• Etc., etc.


Government Enforcement on the Rise

Providence Settlement – OCR’s first “Resolution Agreement”

What went wrong:
• ePHI that was not encrypted or otherwise properly safeguarded was lost or stolen
• Backup tapes, optical disks, and laptops, all containing unencrypted ePHI, were removed from Providence premises and left unattended
• Media and laptops comprising ePHI for over 386,000 patients were lost
• Management lapses
  • Providence had an encryption policy but it was not followed or enforced
  • Employees were allowed to take home media with ePHI despite a policy to the contrary, and with full knowledge of IT and managers over a long period of time


Page 21: The Challenge of Managing Portable Devices


Government Enforcement on the Rise (continued)

Providence Settlement – OCR’s first “Resolution Agreement”: $$ + …

Corrective Action Plan:
• Physical safeguards governing the off-site:
  • storage of backup media containing ePHI
  • transportation of backup media
• Physical safeguards governing the physical security of portable devices containing ePHI
• Technical safeguards regarding encryption:
  • of backup media containing ePHI
  • of portable devices containing ePHI
• Other technical safeguards regarding:
  • backup media
  • portable devices


Other Adverse Impacts

Potential Harm to Patients
• Identity Theft/Medical Identity Theft
  • According to the FTC, identity theft is the fastest-growing crime in the US
    – Affected more than 10 million Americans in 2008
    – A Gartner study in 2006 estimated that there is a new victim every 2+ seconds
• Credit Card/Financial Fraud
• Black Market Price Ranges (2008 Symantec Internet Security Threat Report Trends)
  – Full set of identity information: $10 - $150
  – Stolen credit card: $.05 - $5
• Patient safety
• Lawsuits
  • The federal courts have consistently ruled that HIPAA does not create a private cause of action. A violation of HIPAA may lead to a complaint with the Office of Civil Rights, but it does not give the individual the right to sue the provider.
  • Although HIPAA does not provide a means to sue providers for disclosures of PHI, state laws do provide ways to sue providers.


Page 22: The Challenge of Managing Portable Devices


Other Adverse Impacts (continued)

Bad PR
• Regardless of the circumstances, the public perception will be that the agency “doesn’t care” about privacy. This perception can undermine patients’ confidence in your agency, which can lead them to other providers.
• The public relations problem may be a long-term issue.

Financial Losses
• Civil penalties, lawyers’ fees, civil litigation, loss of business due to harm to corporate goodwill, costs of responding to a breach, costs of remediation, etc., all add up very quickly.
• Loss of a $1,000 laptop containing ePHI can quickly escalate into five or six figures in losses.
• Cleaning up a data breach can cost up to 15 times per record as much as implementing strong encryption (at least 128-bit AES), according to Gartner.


Avoiding the Problem

The best way to avoid this kind of liability is to prevent the losses from happening.

You cannot prevent every potential problem, but taking reasonable measures can eliminate a great deal of the problems.

Having appropriate safeguards in place can reduce the risks and provide concrete evidence that you are concerned about patient privacy.


Page 23: The Challenge of Managing Portable Devices


Enterprise-wide Management Solution

• Cross-platform device support for various client types
• Configuration management
• Device monitoring
  • When was the last time an application was accessed
  • Software installation (version) and distribution
  • Inventory and asset control – scans to alert on any changes in hardware and software
  • Remote control – to diagnose and correct faults
  • What devices are deployed, where, by whom, what’s installed on them, access rights and authorization privileges
  • Enable monitoring, when connected to the network, to ensure compliance with corporate policies


Page 24: The Challenge of Managing Portable Devices


Data-Centric vs. Device-Centric

• Sensitivity of data determines the protection
• Data classification
• Access control
• Information Rights Management
  • Tying access rights and authorization privileges to the data


Required Oversight

Ownership challenges
• Company owned and issued
• Personally owned

Inventory
• What devices are in use?
• What information is being stored?

Accountability
• Physical security
• Lost or stolen devices


Page 25: The Challenge of Managing Portable Devices


It’s 9:00 – Do You Know Where Your Data Is?

Where is sensitive data stored?
• Network storage
• Distributed storage
• Workstations
• Mobile systems

How is the data moving (transmitted)?
• Mobile systems
• Webmail
• IM
• USB
• CDROM

Each of these should be covered by policies.

Especially now with e-Discovery: you need to know where it is and be able to retrieve it quickly.


Mobile Devices

You need to know:
• What mobile devices exist in your organization?
• Who has them and what are their privileges?
• What software exists on them?
• What data is allowed on them?
• What data is actually on them?
• Has that data been backed up?
• Was that data protected from unauthorized access?

“You can’t manage what you can’t measure!” – Peter Drucker


Page 26: The Challenge of Managing Portable Devices


Mobile Security Policy

Who, What, Where, When: “rules of engagement”
• Establish rules for data ownership (regardless of who owns the device)
• Access requirements/Authorization privileges
• Acceptable usage (mobile devices belong to the organization, not the user; what data and files can be downloaded/leave the organization; remote connection standards)
• Required security measures and practices (password protection, anti-virus and firewall, encrypt sensitive data/files, enable device lock-down and kill)
• Processes for training, audit, and enforcement


Training

Educate staff about
• Threats
• Being aware when working in public
• Responsibilities to protect corporate assets

Train: don’t just tell them what to do, show them how!


Page 27: The Challenge of Managing Portable Devices


Communicating an Awareness of the Risks: Posters from the Univ. of Minnesota Academic Health Center


Policies and Procedures Training

Employees need to be constantly reminded of the company’s policies and procedures, the risks to the company for violations, and the risks to the employees for violations.

Employees when first trained might follow policies and procedures, but over time they can become lax.

NOTE: Sanctions and training are two very important parts of preventing a lost or stolen laptop, or any other security breach.

Your personnel are the weakest link in your security. Employees failing to follow policies and procedures are the biggest single source of security breaches.


Page 28: The Challenge of Managing Portable Devices


Polling Question #2

Do you have formal mobile security policies in place and have you trained your staff on their use?

a) Yes
b) No
c) Don’t know


Mobile Device Security Best Practices

Need to balance security with usability

Delete unnecessary information (only what is needed for the day’s activity on the device)

Do not use shared devices for ePHI (hotel computers or fax machines)

Have an incident response plan – notification as soon as possible after loss

Disable any functionality you don’t need (disable Bluetooth discoverable mode, turn off 802.11 wireless when not in use)


Page 29: The Challenge of Managing Portable Devices


Mobile Device Security Best Practices (continued)

Need to balance security with usability

Encrypt sensitive information whenever possible

Sanitize obsolete mobile devices

Contractually bind business associates and make adherence to your corporate “rules of engagement” mandatory


If there has been a loss…

Once determined:
• Report theft or disclosure
• Can the laptop access your company network?
• Can an individual use the laptop to access any web-based software or your office clinical software? (In other words, are there any stored passwords?)
• Do you need to take steps to ensure the laptop is not used to access your office computers?
• Tracing
• Device reset
• Remote kill

The ARRA, the Red Flags Rule, and numerous state data protection laws require a formal breach notification process to be in place.

Page 30: The Challenge of Managing Portable Devices

Physical Controls

Cable locks
Laptop alarms
Don’t leave unattended or in cars
Checklists


Device Inventory

Keep original receipts at office
Keep copy of receipts if traveling
• “Travel” means whenever device is removed from office

Inventory form columns: Make, Model, Serial Number, Owner, User, Data Content

Used with permission of Margret\A Consulting, LLC

Page 31: The Challenge of Managing Portable Devices

Back Up Log for Devices

Log columns: Date/Time, Full System Back Up, File Back Up, Copy Sent to:

• Back up system and files on a regular basis in accordance with company policy
• Back up files prior to any travel
• When off site, send a copy of files created or modified during the day to the office as another backup

Used with permission of Margret\A Consulting, LLC

Travel Checklist

Device:

Precaution

Device has hard tattoo

Locks, keys, and cables are available

Strong password or other authentication for system access, application access, and file access as needed

Tracking and recovery software applied

Remote data protection applied

Device shut off, not in standby mode

Appropriate back up performed

Copy made and carried on portable storage device

Verified by: Date:

• Perform this check each time the mobile device is removed from the office
• Instill accountability for the device by leaving a copy at the company

Used with permission of Margret\A Consulting, LLC

Page 32: The Challenge of Managing Portable Devices

Technology Solutions

Your policies and procedures are designed to prevent the theft or loss of a laptop. There are other steps you can consider to secure the laptop. There are also technologies you can use so that if a laptop is lost or stolen the information will be harder to retrieve.


Security Controls

Access Control
Gaining physical access usually means complete control of the information stored on the device
Power-on password (protected at root level between BIOS and Operating System), password-protected screen savers, auto logoff
Stronger authentication – use two-factor to restrict access
• Pick one from each of Three Types of Factors
- something you know: name, PIN, user ID, password, phrase
- something you have: token, card, key, badge
- something you are: biometrics (fingerprint, hand print, voice scan, iris scan, retina scan, palm vein scan)

Page 33: The Challenge of Managing Portable Devices

Emerging Authentication Safeguards on Mobile Devices

Smartphones with fingerprint readers
Devices that can process handwritten signatures (entered with a stylus)
Devices that can process voiceprints (entered by speaking a phrase over a smartphone)

Note: May still want to complement biometric with a password for cases when the biometric becomes unusable


Security Controls

Viruses and other malicious code
Antivirus software
• Automatic updates
Some antivirus solutions won’t run on certain handheld devices
Even if a handheld is not affected by a virus, it can carry and transmit a virus
Adware and spyware detection
Personal firewalls
Regular patching


Page 34: The Challenge of Managing Portable Devices

Some Helpful Tips to Prevent Mobile Loss

Password protect sensitive documents

Tracking and recovery products

Automatic backups to a secure web server
Don’t allow, or minimize, data kept on laptop or mobile device
• Keep identity theft information off (SSN, DOB, etc.)
Back up data regularly
Automatic log-off


Data Loss Prevention Techniques

Scan databases containing:
• Patient demographic data
• Patient health data
• Diagnostic and procedure codes
• Inputs from RIS and PAC systems
• Patient financial data
Prevent any of the above from going out to unauthorized users
Audit to confirm access by the authorized recipients – business associates and other covered entities
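An added illustration of the scan, gate and audit steps above, written for this edit rather than taken from the webinar: constructed sample rows (no real patient data) are classified for the identity-theft fields the slides name (SSN, DOB), an export to a recipient who is not an authorized business associate is blocked, and every decision is written to an audit trail. The two regular expressions, the Record type and the recipient names are illustrative choices, not anything the slides specify.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Illustrative SSN/DOB patterns (the slides' "identity theft information"); a real DLP classifier is broader.
var (
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	dobRe = regexp.MustCompile(`\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b`)
)

type Record struct{ ID, Text string } // constructed stand-in for one database row

// Classify names the sensitive fields found in one record (nil if none).
func Classify(r Record) []string {
	var fields []string
	if ssnRe.MatchString(r.Text) {
		fields = append(fields, "SSN")
	}
	if dobRe.MatchString(r.Text) {
		fields = append(fields, "DOB")
	}
	return fields
}

// Release gates an export: records carrying SSN/DOB go only to a recipient on the
// authorized list (a business associate bound by contract); every decision is logged.
func Release(recs []Record, to string, authorized map[string]bool, audit *[]string) (allowed, blocked []Record) {
	for _, r := range recs {
		if f := Classify(r); len(f) > 0 && !authorized[to] {
			blocked = append(blocked, r)
			*audit = append(*audit, fmt.Sprintf("BLOCK %s -> %s (%s)", r.ID, to, strings.Join(f, ",")))
			continue
		}
		allowed = append(allowed, r)
		*audit = append(*audit, fmt.Sprintf("ALLOW %s -> %s", r.ID, to))
	}
	return allowed, blocked
}

func main() {
	recs := []Record{{"p1", "Jane Doe, DOB 04/12/1970, SSN 123-45-6789"}, // constructed, not real PHI
		{"p2", "John Roe, visit 2009-03-01, code 250.00"}}
	var audit []string
	Release(recs, "hotel-kiosk", map[string]bool{"ba-billing": true}, &audit)
	fmt.Println(strings.Join(audit, "\n"))
}
```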

Page 35: The Challenge of Managing Portable Devices

Encryption: Preventing Unauthorized Access

HIPAA does not require providers to encrypt patient data – it is an addressable standard
Encrypting EPHI on laptops and other portable devices can provide additional security, if lost
Most experts agree data thieves are far more likely to obtain information by stealing hard drives etc. (data at rest) instead of trying to intercept information in transit (data in motion)

But… OCR specifically required Providence to include policies and procedures regarding technical safeguards governing the use of encryption


Encryption

Encryption software is becoming more and more accessible both from a cost and a use standpoint
Some states have passed laws requiring encryption of customer personal information. Other states are considering similar legislation.
Many of the state security breach notification laws provide an exception for data that is encrypted (safe harbor). Some states require encryption as well as encryption key management policies – designed to prevent decryption in the event a person obtains both the data and the encryption key.
And… HITECH Act of ARRA: says that any unsecured PHI must be made “unusable, unreadable, or indecipherable” to unauthorized individuals by a technology standard – sounds like “encryption”

Page 36: The Challenge of Managing Portable Devices

Encryption

For data at rest
• Laptops
  • Built-in to Windows XP/Vista
  • File/Folder-based
  • Full disk
• Databases
• Handheld devices – removable memory
• Encryption of stored data (at least AES 128 bit)

For data in transit
• Secure web connections
• Virtual private networks (VPN)
• Wireless networks
• P2P file sharing
• File-level encryption is essential

Comprehensive Data Security with Encryption

Requirement: Encryption of all data on the main hard disk
Preferred Solution: Full-disk encryption is the only solution that addresses this requirement

Requirement: Encryption of all data on removable media
Preferred Solution: Full-disk encryption is the preferred method; consider other methods when sharing encrypted information on removable media

Requirement: Encryption of data files, folders or containers
Preferred Solution: File, folder, container encryption

Requirement: Protection from internal threats in media sharing environments
Preferred Solution: Encryption of granular data objects – disk partitions, containers, folders and files

Requirement: Prevention of data leakage to removable media
Preferred Solution: Disk access controls; automatic ‘forced’ encryption of the media or files written to the media

Requirement: Prevention of data leakage to the network or via e-mail
Preferred Solution: File encryption by file type and application association

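An added example, not from the webinar, of the “at least AES 128 bit” storage encryption the slides call for, built to show the key-management point from the previous slide: what lands on the device is ciphertext plus nonce, and the key is never stored beside it. It uses AES-128-GCM from Go’s standard library; the names Sealed, Seal and Open, the idea of binding the inventory’s device serial number as associated data, and the sample key and note are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Sealed is all that is written to the device; the AES key is kept elsewhere (key store or
// wrapped by the user's credential), so whoever takes the device gets data but no key.
type Sealed struct{ Nonce, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: AES-128-GCM, fresh random nonce, label (e.g. device serial) bound as associated data.
func Seal(key, label, plaintext []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{nonce, gcm.Seal(nil, nonce, plaintext, label)}, nil
}

// Open fails on a wrong key, a different label, or any change to the stored bytes.
func Open(key, label []byte, s Sealed) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, label)
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; a real one is never saved beside Sealed
	s, _ := Seal(key, []byte("SN-EXAMPLE-0001"), []byte("constructed note, no real PHI"))
	pt, err := Open(key, []byte("SN-EXAMPLE-0001"), s)
	fmt.Printf("%d ciphertext bytes; recovered %q (err=%v)\n", len(s.Ciphertext), pt, err)
}
```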

Page 37: The Challenge of Managing Portable Devices

Mobile Device Security

Ensure that you can
• Implement software that will automatically “clear data” for devices that are lost or stolen
• Securely wipe obsolete/no longer in use devices
• Control the software loaded on them
• Enforce device locking
• Identify any additional access the devices can apply to your internal network


Network Security?


Page 38: The Challenge of Managing Portable Devices

Wireless Best Practices

Use secure networks
• Private networks
• Remote access via VPN
• Web portals using SSL
• Periodic scans (portable wireless scanner – “stumbler”) to find access points and ad hoc (peer-to-peer) nodes
• Have Intrusion Protection Systems/Intrusion Detection Systems (IPS/IDS) on servers that interface with portable devices


Resource/Reference List

• DRAFT Guide to Enterprise Telework and Remote Access Security: NIST SP 800-46 Rev. 1 www.csrc.nist.gov/publications/drafts/800-46Rev1/Draft-SP800-46r1.pdf

• User's Guide to Securing External Devices for Telework and Remote Access: NIST SP 800-114 www.csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf

• Guide to Storage Encryption Technologies for End User Devices: NIST SP 800-111 www.csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

• CMS Security Guidance for Remote Use www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf


Page 39: The Challenge of Managing Portable Devices

In Conclusion…

Laptops and other mobile devices provide increased flexibility and efficiencies for caregivers at the point of care, but with these benefits come inherent possibilities for data loss
Data loss can have adverse financial and operational impacts on the healthcare organization in the form of fines and penalties, both at the federal and state levels, and bad public relations
Data loss can have impacts on patients in terms of patient safety and identity theft for financial and medical fraud
Best approach is to prevent data loss rather than trying to do damage control after the fact


Page 40: The Challenge of Managing Portable Devices

In Conclusion…

There are numerous, easily-applied tools and techniques to prevent the loss of sensitive data on mobile devices, but they must be practiced in conjunction with implementable policies, continuous staff training, communicated sanctions, and contractual protections through enforceable Business Associate Agreements
Compliance is a continuous process
In today’s environment, healthcare organizations should always be “audit ready”


Audience Questions

Page 41: The Challenge of Managing Portable Devices

Audio Seminar Discussion

Following today’s live seminar
Available to AHIMA members at www.AHIMA.org – “Members Only” Communities of Practice (CoP)

AHIMA Member ID number and password required

Join the e-HIM Community from your Personal Page. Look under Community Discussions for the Audio Seminar Forum

You will be able to:
• discuss seminar topics
• network with other AHIMA members
• enhance your learning experience

Page 42: The Challenge of Managing Portable Devices

Become an AHIMA Member Today!

To learn more about becoming a member of AHIMA, please visit our website at www.ahima.org/membership to join now!

AHIMA Audio Seminars and Webinars

Visit our Web site http://campus.AHIMA.org for information on the 2009 seminar schedule. While online, you can also register for seminars and webinars or order CDs, MP3s, and webcasts of past seminars.

Page 43: The Challenge of Managing Portable Devices

Upcoming Webinars

The Intersections between E-Prescribing and HIM – May 19, 2009

The Legal Health Record and E-Discovery: Where You Need to Be – June 9, 2009

Auditing for Privacy and Security Compliance – June 23, 2009

AHIMA Distance Education

Anyone interested in learning more about e-HIM® should consider one of AHIMA’s web-based training courses.

For more information visit http://campus.ahima.org

Page 44: The Challenge of Managing Portable Devices

Thank you for joining us today!

Remember: visit the AHIMA Audio Seminars/Webinars Web site to complete your evaluation form and receive your CE Certificate online at:

http://campus.ahima.org/audio/2009seminars.html

Each person seeking CE credit must complete the sign-in form and evaluation in order to view and print their CE certificate.

Certificates will be awarded for AHIMA CEUs.

Page 45: The Challenge of Managing Portable Devices

Appendix

Resource/Reference List ........ 41
CE Certificate Instructions


Page 47: The Challenge of Managing Portable Devices

To receive your CE Certificate, please go to the AHIMA Web site http://campus.ahima.org/audio/2009seminars.html and click on the link to “Sign In and Complete Online Evaluation” listed for this webinar. You will be automatically linked to the CE certificate for this webinar after completing the evaluation.

Each participant expecting to receive continuing education credit must complete the online evaluation and sign-in information after the webinar, in order to view and print the CE certificate.